feat: dbt project scanning (profiles.yml, models, macros, packages.yml) #1022

@msaad00

Description

Context

dbt (data build tool) is the industry standard for data transformation. Security teams need to scan dbt projects for misconfigurations, credential exposure, and SQL injection risks — especially in CI/CD pipelines.

Related to DCM scanning (#1021) — DCM projects can embed dbt projects.

Security Risks to Scan

profiles.yml / profiles.yaml

  • Hardcoded credentials (password, private_key_path, token)
  • Connection strings with embedded passwords
  • Missing SSL/TLS (require_ssl: false)
  • Using password auth instead of key-pair or OAuth

dbt_project.yml

  • clean-targets pointing outside project
  • Unsafe dispatch configurations
  • Missing require-dbt-version constraint (supply chain risk)

packages.yml / packages.yaml

  • Unpinned package versions (revision: main instead of tag/sha)
  • Private packages without integrity verification
  • Packages from untrusted Git repos

SQL Models & Macros

  • {{ var() }} used in raw SQL without quoting (SQL injection)
  • run_query() with user-controlled input
  • GRANT ALL in post-hooks
  • Sensitive data in {{ log() }} calls
  • {{ env_var() }} exposing secrets in compiled SQL

CI/CD

  • dbt run without --fail-fast in production
  • Missing dbt test in pipeline
  • dbt seed with sensitive CSV data committed to Git

Implementation

  • Add iac/dbt_security.py following iac/terraform_security.py pattern
  • Rule IDs: DBT-SEC-001 through DBT-SEC-0XX
  • Include in CI/CD scan type alongside Terraform, Dockerfile, Helm

Labels: enhancement, security, iac, v0.75.0
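As an added illustration of the rule set sketched above (example code written for this page, not the project's `iac/dbt_security.py` and not from the issue author), the block below implements one check per bullet group as a small Python module: literal secrets and `require_ssl: false` in `profiles.yml`, unpinned git packages in `packages.yml`, a missing `require-dbt-version` and escaping `clean-targets` in `dbt_project.yml`, and unquoted `var()`, `GRANT ALL` and `env_var()` in model/macro SQL. The rule IDs are placeholders in the `DBT-SEC-0XX` scheme, the `require_ssl` key name is taken from the issue text rather than any specific adapter, PyYAML is assumed only inside `load_yaml`, and all sample inputs are constructed to mirror the YAML/SQL a scanner would see.

```python
"""Illustrative dbt project scanner (hypothetical rules; not the project's own code)."""
import re
from typing import Any, Iterator, List, Tuple

Finding = Tuple[str, str, str]  # (rule_id, location, message)

# Keys whose literal values in profiles.yml count as hardcoded credentials (assumed list).
SECRET_KEYS = {"password", "token", "private_key", "private_key_path",
               "client_secret", "refresh_token", "auth_token"}
PINNED_REV_RE = re.compile(r"^(v?\d+\.\d+(\.\d+)?|[0-9a-f]{7,40})$", re.I)  # tag or sha
UNQUOTED_VAR_RE = re.compile(r"""(?<!['"])\{\{\s*var\(""")  # {{ var( not preceded by a quote
ENV_VAR_RE = re.compile(r"\{\{\s*env_var\(")
GRANT_ALL_RE = re.compile(r"\bgrant\s+all\b", re.I)


def load_yaml(path: str) -> Any:
    """Parse a YAML file with PyYAML (imported lazily so the rules run without it)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def _walk(node: Any, path: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted.path, scalar) for every leaf in a nested mapping/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node


def scan_profiles(profiles: dict, src: str = "profiles.yml") -> List[Finding]:
    findings: List[Finding] = []
    for path, value in _walk(profiles):
        key = path.rsplit(".", 1)[-1]
        # DBT-SEC-001: literal secret; "{{ env_var('...') }}" indirection is the accepted form
        if key in SECRET_KEYS and isinstance(value, str) and "env_var(" not in value:
            findings.append(("DBT-SEC-001", f"{src}:{path}", "hardcoded credential"))
        # DBT-SEC-002: TLS explicitly disabled (key name as written in the issue)
        if key == "require_ssl" and value is False:
            findings.append(("DBT-SEC-002", f"{src}:{path}", "require_ssl is false"))
    return findings


def scan_packages(packages: dict, src: str = "packages.yml") -> List[Finding]:
    findings: List[Finding] = []
    for i, pkg in enumerate(packages.get("packages", [])):
        if "git" in pkg:
            rev = str(pkg.get("revision", ""))
            # DBT-SEC-003: git packages must pin a tag or commit sha, not a moving branch
            if not PINNED_REV_RE.match(rev):
                findings.append(("DBT-SEC-003", f"{src}:packages[{i}]",
                                 f"git package {pkg['git']} unpinned (revision={rev or 'missing'})"))
    return findings


def scan_project(project: dict, src: str = "dbt_project.yml") -> List[Finding]:
    findings: List[Finding] = []
    if "require-dbt-version" not in project:  # DBT-SEC-004: no dbt version constraint
        findings.append(("DBT-SEC-004", src, "missing require-dbt-version"))
    for i, target in enumerate(project.get("clean-targets", [])):
        # DBT-SEC-005: absolute path or '..' segment lets `dbt clean` delete outside the project
        if target.startswith("/") or ".." in target.split("/"):
            findings.append(("DBT-SEC-005", f"{src}:clean-targets[{i}]", f"{target} leaves project"))
    return findings


def scan_sql(sql: str, src: str) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(sql.splitlines(), 1):
        loc = f"{src}:{n}"
        if UNQUOTED_VAR_RE.search(line):  # DBT-SEC-006: var() spliced into SQL unquoted
            findings.append(("DBT-SEC-006", loc, "var() interpolated into SQL unquoted"))
        if GRANT_ALL_RE.search(line):  # DBT-SEC-007: over-broad grant in a hook
            findings.append(("DBT-SEC-007", loc, "GRANT ALL in hook"))
        if ENV_VAR_RE.search(line):  # DBT-SEC-008: secret rendered into target/compiled SQL
            findings.append(("DBT-SEC-008", loc, "env_var() value lands in compiled SQL"))
    return findings


# Constructed sample inputs (mirroring parsed YAML and raw SQL); each triggers one rule.
SAMPLE_PROFILES = {"analytics": {"target": "prod", "outputs": {
    "prod": {"type": "snowflake", "user": "svc", "password": "hunter2", "require_ssl": False},
    "dev": {"type": "snowflake", "user": "svc", "password": "{{ env_var('DBT_PASSWORD') }}"}}}}
SAMPLE_PACKAGES = {"packages": [
    {"package": "dbt-labs/dbt_utils", "version": [">=1.1.0", "<2.0.0"]},
    {"git": "https://github.com/example/internal-macros.git", "revision": "main"},
    {"git": "https://github.com/example/other-macros.git", "revision": "v1.4.0"}]}
SAMPLE_PROJECT = {"name": "analytics", "version": "1.0.0",
                  "clean-targets": ["target", "../shared_cache"]}
SAMPLE_MODEL = """select * from {{ ref('orders') }}
where customer_id = {{ var('customer_id') }}
  and region = '{{ var('region') }}'
"""
SAMPLE_MACRO = """{{ config(post_hook="grant all on {{ this }} to role public") }}
select '{{ env_var('API_KEY') }}' as api_key
"""


def scan_sample() -> List[Finding]:
    return (scan_profiles(SAMPLE_PROFILES) + scan_packages(SAMPLE_PACKAGES)
            + scan_project(SAMPLE_PROJECT) + scan_sql(SAMPLE_MODEL, "models/orders.sql")
            + scan_sql(SAMPLE_MACRO, "macros/grant.sql"))


if __name__ == "__main__":
    for rule, loc, msg in scan_sample():
        print(f"{rule} {loc}: {msg}")
```

Run as a script it prints the eight findings from the constructed samples; in a real scanner the four `scan_*` functions would be fed the output of `load_yaml` and the contents of every `models/**/*.sql` and `macros/**/*.sql`. Note that the `var()` rule follows the issue's wording (unquoted use); quoting a `var()` value narrows but does not remove injection risk, so a stricter rule would flag every `var()` that reaches SQL without an allow-list.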

Metadata

Assignees: No one assigned
Labels: enhancement (New feature or request)
Projects: No projects
Milestone: No milestone